Demonstrating their continued focus on right of access violations, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced 11 settlements and one HIPAA fine for medical practices across a wide variety of specialties.
An examination of the specifics of each incident cites several reasons by the covered entities for not providing the requested records, including:
- Complete failure to respond
- Withholding records because of nonpayment
- Misunderstanding the scope of a durable power of attorney
- Employee misunderstanding of HIPAA right of access
These actions by OCR illustrate that HIPAA compliance is about ensuring the privacy of patients’ protected health information (PHI) and providing patients with access to their health records in a timely manner.
Illinois Podiatry Practice Hit with $100,000 HIPAA Fine
OCR lowered the boom on ACPM Podiatry, based in Peoria, Illinois, with a $100,000 fine for HIPAA right of access violations. According to OCR, the agency provided ACPM with written technical assistance regarding the Privacy Rule’s right of access standard and closed the matter.
Following a second complaint from the same individual alleging ACPM had still not provided the requested records, OCR sent multiple requests for information, a Letter of Opportunity, and a Notice of Proposed Determination. After all of OCR’s attempts at communication were unsuccessful, the agency issued a Letter of Final Determination and a $100,000 civil monetary penalty.
New York Eye Practice is Too Late to Prevent $22,500 Settlement
Associated Retina Specialists, an ophthalmology practice in New York City, waited five months to respond to a patient’s request for her medical records. By that time, OCR’s investigation into the matter had been going on for three days. Associated Retina agreed to take corrective action and pay $22,500 to settle a potential violation of the HIPAA Privacy Rule right of access standard.
Maryland Dentist’s Failure to Comply Costs $5,000
A patient of Baltimore, Maryland, dentist Dr. Lawrence Bell, Jr.’s practice requested a copy of their medical records on July 15, 2019. Four months later, the patient filed a complaint with OCR because the records had not been provided.
The practice agreed to take corrective actions and has paid $5,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
Florida ENT Practice Pays $20,000 to Settle Right of Access Complaint
Two requests for medical records from the same patient resulted in two complaints to OCR for Coastal Ear, Nose, and Throat (ENT) in Ormond Beach, Florida. The patient made requests in December 2020 and January 2021 and filed complaints with OCR in January and April 2021.
The practice did not respond to the patient’s requests until May 2021. Following an investigation by OCR, Coastal ENT agreed to take corrective actions and has paid $20,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
Connecticut Psychiatry Practice Settles Right of Access Charge, Pays $3,500 HIPAA Fine
Danbury Psychiatric Consultants, LLC (DPC), of Danbury, Connecticut, received a request from a patient for her PHI on March 24, 2020, and three days later, a complaint was filed with OCR.
An investigation uncovered that DPC withheld the PHI because the patient had an outstanding balance with the practice. The practice also required a signed request or authorization request. All of the patient’s PHI was finally provided in September 2020, after OCR had begun its investigation.
DPC agreed to take corrective actions and has paid $3,500 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
Upstate NY Hospital Agrees to $50,000 Civil Penalty
A complaint was filed with OCR alleging that Erie County Medical Center in Buffalo, New York, failed to provide a woman’s husband with a complete copy of her medical record. During the course of the investigation, the hospital did provide a complete copy of the requested records. The hospital is operated by Erie County Medical Center Corporation (ECMCC), a public benefit corporation.
ECMCC agreed to take corrective actions and paid $50,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
Nebraska Family Health Clinic Pays $30,000 After Violating Right of Access
A Fallbrook Family Health Center (FFHC) patient in Lincoln, Nebraska, filed a complaint with OCR after three separate requests for her medical records went unfulfilled. FFHC claimed a former employee misunderstood individuals’ right of access under HIPAA.
The investigation by HHS found that FFHC did not provide the patient with a complete copy of her requested records as required by HIPAA’s right of access rules. The patient received her complete file in June 2020 following the investigation.
FFHC agreed to take corrective action and paid $30,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
Massachusetts Nursing and Rehabilitation Center Right of Access Violation Costs $55,000
The mother of a patient at Hillcrest Commons Nursing and Rehabilitation in Pittsville, Massachusetts, submitted a request for his records in March 2020, which was signed by a Hillcrest representative two days later.
After four months of waiting, she filed a complaint with OCR in July 2020, alleging she had not received the requested information. The investigation revealed that Hillcrest failed to provide the documents until October 10, 2020.
Hillcrest agreed to a monetary settlement of $55,000 and agreed to a corrective action plan that includes two years of monitoring the state of their compliance with the HIPAA Rules.
Suburban Boston Healthcare Group Pays $55,000 After Durable Power of Attorney Mistake
The daughter of a patient at MelroseWalkefield Healthcare in suburban Boston, Massachusetts, acting under the authority granted by a signed durable power of attorney, requested her mother’s PHI in June 2020.
OCR received a complaint from the daughter in July 2020. An HHS investigation revealed that someone at MelroseWakefield had denied the request based on the incorrect belief that a durable power of attorney did not allow for the provision of the records.
After receiving OCR’s notice of investigation, MelroseWakefield reviewed the request a second time and determined the records should have been released to the daughter. Access to the records was granted in October 2020.
MelroseWakefield agreed to a corrective action plan that includes one year of monitoring their compliance with the HIPAA Rules. They also agreed to pay $55,000 in civil penalties.
Texas Health System Slapped with $240,000 Penalty for HIPAA Right of Access Violation
After making five requests for their PHI between June 2019 and January 2020, a patient of Memorial Hermann Health System, a non-profit health system comprising 17 hospitals in Houston and Southeast Texas, filed a complaint with OCR in August 2020.
The HHS investigation showed in one instance that the patient asked for an itemized billing statement in July 2019. This request was not fully complied with until March 2021.
Memorial Hermann has agreed to corrective actions including additional training of billing department employees and annual reporting requirements. The hospital system also paid $240,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
Right of Access Violation Tags Houston Southwest Surgical Associates with $65,000 HIPAA Fine
OCR received a complaint in December 2020 against Southwest Surgical Associates, LLP (SWSA), located in the Greater Houston, Texas area, regarding a failure to provide an individual with access to her PHI.
The HHS investigation revealed that SWSA did not provide the requested information to the patient as required under the HIPAA Privacy Rule from February 2020 to March 2021.
SWSA agreed to corrective actions and paid $65,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
